# VeraCrypt

> Full-disk and volume encryption. The successor to TrueCrypt.

**Source:** https://fieldwork.news/tools/veracrypt
**Official site:** https://veracrypt.fr
**Category:** security

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** Two independent security audits (QuarksLab 2016 for EU-FOSSA, Fraunhofer SIT 2020 for German BSI) found no serious cryptographic vulnerabilities. FBI has stated in court it cannot break VeraCrypt and has no backdoor. No publicly documented case of VeraCrypt encryption defeated through cryptanalysis. Supports AES, Serpent, Twofish, and cascaded combinations with 500,000+ PBKDF2 iterations. RAM encryption for master keys available on 64-bit Windows (since v1.24). Active development: v1.26.24 released May 2025 with screen capture protection and ARM64 SHA-256 acceleration. Hidden volume feature provides plausible deniability unique among encryption tools, though with forensic limitations.
- **Reviewed by:** Deepened editorial assessment by Mike Schneider — independent security review pending
- **Review depth:** established
- **Last reviewed:** 2026-04-02
- **Threat level:** sensitive-reporting

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists who carry sensitive materials across borders or need encrypted storage that resists forensic analysis. Also researchers, activists, and anyone whose devices might be seized.

## Editorial take

VeraCrypt is the gold standard for encrypting storage volumes. Two independent audits — QuarksLab (2016, funded by OSTIF/EU-FOSSA) and Fraunhofer SIT for Germany's BSI (2020) — found no serious cryptographic flaws. The FBI has stated in court filings it cannot break VeraCrypt and has no backdoor. No publicly documented case exists of VeraCrypt encryption being defeated through cryptanalysis. The hidden volume feature (plausible deniability) remains unique among encryption tools, though it has real forensic limitations journalists should understand. Current version 1.26.24 (May 2025) adds RAM encryption for master keys on 64-bit Windows, cold boot attack mitigation, and screen capture protection. The project is maintained primarily by one developer (Mounir Idrassi at IDRIX), which is both its strength (small attack surface, no corporate pressure) and its risk (bus factor of one). For border crossings with sensitive materials, VeraCrypt on an encrypted USB remains standard operational security.

## Best for / not for

**Best for:** Encrypting hard drives, USB drives, or creating encrypted containers for sensitive documents. Protecting data if devices are seized at borders or during raids. Cross-platform encrypted volumes that work on Windows, macOS, and Linux. Creating hidden volumes for plausible deniability in hostile environments.

**Not for:** Beginners — the interface is complex and a misconfiguration can mean permanent data loss. Quick file sharing (use Signal). macOS users who only need full-disk encryption (FileVault with Apple Silicon hardware encryption is simpler and faster). Enterprise environments needing centralized key management (BitLocker or LUKS with Clevis are better fits).

## Pricing

- **Pricing:** Free. Open source (Apache 2.0 + TrueCrypt License).
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Local only. All encryption and decryption happens on your device. No data leaves your machine. No accounts, no servers, no telemetry.

**Privacy policy TL;DR:** No network connectivity, no telemetry, no accounts, no crash reporting by default. VeraCrypt is a local application that never contacts a server. The 1.26.24 release added optional crash reporting via a separate VeraCrypt-CrashCollector tool, but it's opt-in only.

**Practical mitigations (operational guidance, not optional):**

- Use strong passphrases (20+ characters).
- Enable cascaded encryption (AES-Twofish-Serpent) for maximum protection against future cryptanalytic advances.
- Use hidden volumes for plausible deniability — but understand their limits (see Known Issues).
- On 64-bit Windows, enable RAM encryption in Performance settings to protect master keys against cold boot attacks (10% memory overhead).
- Back up volume headers to a separate secure location — a corrupted header means permanent, irrecoverable data loss.
- Never leave volumes mounted when crossing borders.
- On macOS with Apple Silicon, use FUSE-T instead of macFUSE for better compatibility.
- Use PBKDF2-SHA512 or PBKDF2-Whirlpool with high iteration counts (500,000+ for non-system volumes by default).

## Ownership & business

- **Owner:** IDRIX (open-source project maintained primarily by Mounir Idrassi)
- **Funding model:** Donations, EU grant (EU-FOSSA audit 2016), German BSI grant (Fraunhofer SIT audit 2020). No corporate funding. No recurring institutional support.
- **Business model:** None. Volunteer-maintained open source with a solo primary maintainer. Bus factor of one is the project's biggest structural risk.
- **Open source:** yes

**Known issues:**

- Hidden volume plausible deniability has real limitations: forensic researchers (Kedziora et al., 2017) demonstrated detection via cross-drive analysis, Windows Volume Shadow Copies, and outer volume file system analysis.
- Deniability fails if the system is seized while mounted.
- File-hosted containers offer weak deniability because a file of pure random data is inherently suspicious.
- LUKS uses Argon2 (memory-hard) for key derivation by default, which is more resistant to GPU-accelerated attacks than VeraCrypt's PBKDF2.
- Forensic tools like Passware Kit Forensic can extract master keys from RAM dumps or hibernation files (hiberfil.sys) — always disable hibernation on encrypted systems.
- Cold boot attack mitigation (RAM encryption) is Windows 64-bit only and not enabled by default.
- The BSI/Fraunhofer audit noted RIPEMD-160 is deprecated and code quality could improve.
- CVE-2024-54187 (path hijacking) and CVE-2025-23021 (mounting on system directories) were fixed in 1.26.18.
- macOS: no full-disk encryption support — only volume/container encryption. Requires FUSE-T or macFUSE as a dependency on macOS.

---
Canonical HTML: https://fieldwork.news/tools/veracrypt
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology